Qualcomm ≫ Qcm4325 Firmware

Transient DOS while handling PS event when Program Service name length offset value is set to 255.

Memory corruption when BTFM client sends new messages over Slimbus to ADSP.

memory corruption when an invalid firehose patch command is invoked.

Memory corruption as fence object may still be accessed in timeline destruct after isync fence is released.

Memory corruption can occur if VBOs hold outdated or invalid GPU SMMU mappings, especially when the binding and reclaiming of memory buffers are performed at the same time.

Memory corruption while processing IOCTL call to set metainfo.

Memory corruption while allocating memory in HGSL driver.

Memory corruption while creating a fence to wait on timeline events, and simultaneously signal timeline events.

Transient DOS while parsing SCAN RNR IE when bytes received from AP is such that the size of the last param of IE is less than neighbor report.

Transient DOS while parsing the multiple MBSSID IEs from the beacon, when the tag length is non-zero value but with end of beacon.